SFTP only access to server

I recently installed a NAS server in my home and wanted to give my family and relatives access to it so that they could use it as a remote backup server for photos and stuff. To keep it as secure as possible I only wanted to give them SFTP access.

(All commands below are executed as root.)

First I created a group for them and then added the users to that group. I chose to disable their passwords as I only allow logins using SSH keys.

addgroup sftponly
# Repeat the line below for each user
adduser --disabled-password --ingroup sftponly ausername

As for the upload directory, I wanted them to upload their data to my raid1 volume mounted under /data/pool1. Since OpenSSH has requirements on the ownership and permissions of the directories used as a chroot, I created the following directory layout.

cd /data/pool1
mkdir -m 751 sftp
ln -s . sftp/home
# Repeat the lines below for each user
mkdir -m 700 sftp/ausername
chown ausername:root sftp/ausername

The home symlink makes each user's home directory (/home/ausername) resolve to /ausername inside the chroot, so that is their initial SFTP directory. The sftp directory is created with mode 751 so users cannot list the top directory.

Then, as “all components of the pathname must be root-owned directories that are not writable by any other user or group” and /data/pool1 is not root-owned, I created a bind mount by adding the following line to /etc/fstab.

/data/pool1/sftp  /srv/sftp  bind  bind  0  0

Before the initial mount, the mount point must be created.

mkdir /srv/sftp
mount /srv/sftp

The final step was to configure OpenSSH by adding the following lines at the end of /etc/ssh/sshd_config (a Match block applies until the next Match or the end of the file, so it must come after the global settings).

Match Group sftponly
  ChrootDirectory /srv/sftp
  ForceCommand internal-sftp
  AllowTcpForwarding no
  X11Forwarding no

Remember to restart sshd afterwards.


Handelsbanken login now works on Linux

Thanks to the hard work done by the FriBID project I was today able to log in to Handelsbanken (my bank) using the card reader connected to the computer. I did this by following the instructions on the FriBID wiki. Good stuff!

I’m using Ubuntu 11.10 on amd64.


Faster resume with (k)ubuntu Natty

After upgrading to Kubuntu Natty beta 1, the time for resuming (from RAM) my HP ProBook 6450b has improved significantly. Previously I had to wait up to a minute until the wireless card was up and running and I had Internet access. Now it’s only a matter of seconds. My Linux laptop is now fully on par with my old Apple iBook when it comes to suspend/resume (the only area where it was previously lagging).

I can’t say for sure why it’s better now, but I like to think that it’s due to Broadcom’s full-source release of their wireless drivers. Thank you Broadcom!


ELF Auxiliary Vectors

Interesting article about ELF Auxiliary Vectors. Found it after reading a comment mentioning AT_SECURE in the LWN article about glibc vulnerabilities.


Getting Licq to build with pbuilder

I wanted to test that I had specified the correct Build-Depends in my Debian package of Licq 1.5.0-rc2. It seemed like the simplest way to do this was to create a personal builder installation and build the package in that chroot.

So I did:

sudo pbuilder create --debootstrapopts --variant=buildd

Building should then be as simple as executing:

git-buildpackage --git-builder=/usr/share/doc/git-buildpackage/examples/gbp-pbuilder --git-cleaner="fakeroot debian/rules clean"

Or it should have been that simple. Unfortunately the build failed with:

Fatal: no entropy gathering module detected

After some googling and testing, the fix was to add the two random devices to the chroot:

sudo pbuilder login --save-after-login
mknod -m 666 /dev/random c 1 8
mknod -m 666 /dev/urandom c 1 9
chmod 666 /dev/null
exit

(The change of permission for /dev/null was needed to avoid getting errors later in the build process.)


Git is not always better than subversion

Yesterday I wished I had used svn instead of git as the VCS for Licq’s Debian package, when I accidentally deleted my local git clone with lots of commits that I hadn’t pushed…

Luckily I had all the changes in a different format so I didn’t have to redo all the work, but I had to spend time trying to commit the changes in a somewhat logical way.


New GPG key

Following the instructions on how to create a new GPG key I have now created a new, more secure, GPG key. The new key’s id is 7E28522C, it’s signed with my old key and available on a key server near you.


debian/licq.git mirror on Gitorious

To get better speed and a backup I’ve set up a mirror of debian/licq.git on Gitorious.org.

I don’t really know the best way to do this, but I did it by adding the following line to hooks/post-update:

git push --mirror git@gitorious.org:licq/debian.git

This way the mirror will always be updated when I push to the “real” repository.

Get it by running

% gbp-clone --pristine-tar git://gitorious.org/licq/debian.git

or clone it on Gitorious and send me merge requests :)


Compiler bug

To see if Licq would build without warnings with gcc 4.5, I tried to build Licq trunk with the latest gcc-snapshot in Debian today. Three warnings were quickly fixed, but a bigger problem was that the unit tests hung, something that doesn’t happen with earlier gcc versions.

After some digging it turned out to be a problem with locking. A mutex was never unlocked when returning in the exception handler. This was very strange as the unlocking should be done by the MutexLocker destructor.

I was able to reproduce the problem with a simple test program so I concluded that it was indeed a compiler bug and reported it: Destructor not called when returning in exception handler.

Not every day you get to find a compiler bug…


/me is the new Debian maintainer for Licq

Update 2010-10-30: Changed the initial setup to use gbp-clone.

I’m now officially the maintainer of Licq’s Debian packages. Since I’m not a real Debian maintainer, I’m very grateful to Joel Rosdahl who is my sponsor.

Version 1.3.8-1 is coming to a mirror near you as I write this.

The package source is kept in my git repository. To build the package from the git repository, install git-buildpackage and pristine-tar then follow the instructions below.

Initial setup:

% gbp-clone --pristine-tar git://git.ejohansson.se/debian/licq.git

or, without gbp-clone:

% git clone git://git.ejohansson.se/debian/licq.git
% cd licq
licq % git checkout -b pristine-tar origin/pristine-tar
licq % git checkout master

To build the latest version:

licq % git-buildpackage --git-export-dir=../build-area

To build a specific version:

licq % git-buildpackage --git-export-dir=../build-area --git-export=debian/1.3.8-1

The final packages will be available in ../build-area.

Later on when you wish to update:

licq % git pull
licq % git-buildpackage ...

The next version will have qt4-gui.
